Re: Event ID 538 Logon Type 3 NT AUTHORITY/ANONYMOUS LOGON

From: /.dz (dz_at_discussions.microsoft.com)
Date: 03/16/05

  • Next message: Les: "Re: Renaming W2K AD Administrator Account"
    Date: Wed, 16 Mar 2005 13:41:05 -0800
    
    

    Steve:
    First thanks very much for the response. I've noticed that your name is on
    a lot of the responses in this forum and I appreciate the help as much as I'm
    sure the other people do as well.

    So anytime you get tired of this thread, it will probably die -- but I will
    continue to ask questions as long as you continue to respond.

    In your response, you mentioned 'null sessions'. In other articles I've
    read, there is a reference to using the statement [net use \\servername\ipc$
    """" /u:""] to check if null sessions are able to be created. When I
    attempted this statement from my workstation, targeting the 'servername'
    being discussed in this posting, I received the "Logon failure: unknown user
    name or bad password" message at the workstation, and the server logged an
    event 529 Logon failure, explicitly indicating my userid, workstation, and
    domain. From this info, I'm assuming that the 'null sessions' discussion
    does not apply to my situation. Is that a valid conclusion? Also, the
    Computer Browser service is disabled (and has been since installation) on the
    server. Am I also 'on-track' here in that these two items are directly
    related? (That is, 'null sessions' are enabled - i.e., required - for the
    Computer Browser service to function)

    I want to ask about the other items in your response as well, but to keep
    the dialog within reasonable bounds, I'm electing to go through it one item
    at a time --- starting (I think) with the most clearcut.

    Also in this thread, I need to ask about the 'Client for Microsoft Networks'.
    The server has this protocol enabled. Two further questions: a) This client
    is only necessary if the computer (the server in this case) wants to access
    other NETBIOS resources on the net; it is not required for other computers on
    the net to reach its (the server's) resources. Is this correct? b) the
    'Client for Microsoft Networks' is not responsible for the 538 logout events
    mentioned in the original post?

    Any further dialog is greatly appreciated.
    ./dz

    "Steven L Umbach" wrote:

    > It is common to see those Events on computers using Windows networking and
    > that have file and print sharing and Client for Microsoft networks enabled.
    > Those often are null sessions used by the computer browser service. While
    > null sessions can be used to enumerate users, groups, and shares you can
    > mitigate the risk by using a firewall to prevent internet access to null
    > sessions, enforcing strong passwords on your network, and making sure your
    > share/folder permissions only allow authorized users access.
    >
    > There are things you can do to reduce their occurrence as long as the
    > changes do not interfere with your network access for users. For instance
    > disabling netbios over tcp/ip, disabling the computer browser service, and
    > configuring the security option for "additional restrictions for anonymous
    > access" to be " no access without explicit anonymous permissions". If you
    > disable netbios over tcp/ip on a computer it will no longer show in or be
    > able to use My Network Places but access to shares can still be done via
    > fully qualified domain name or possibly even netbios name as long as dns can
    > resolve the non FQDN by appending parent suffix to the request. The link
    > below explains anonymous access more and the security option to restrict it
    > along with possible consequences of doing such. --- Steve
    >
    > http://support.microsoft.com/?kbid=246261
    >
    > "/.dz" </.dz@discussions.microsoft.com> wrote in message
    > news:480AE832-9FE3-4740-A265-6F6CA5A898FD@microsoft.com...
    > > The security event log on our W2K, SP4 server has hundreds of the above
    > > messages in it. There are no associated 'logon' events, just the 'logoff'
    > > events.
    > >
    > > File and Print sharing is enabled on this server.
    > >
    > > There are several published file shares (all hidden); and there are
    > > individuals who are authorized to use those shares. The security log does
    > > contain 540/538 'pairs' that reflect the credentials of these known users
    > > (user/domain). (These are also 'Logon Type 3') But the number of 538 NT
    > > AUTHORITY/ANONYMOUS LOGON events absolutely dwarfs the number of "known user"
    > > logon/logoff events.
    > >
    > > The server itself is not a domain controller. It was until recently a
    > > member of a NT domain, and now is under AD (I don't know how to state that
    > > with any accuracy). 'Known user' logon/logoff events are present for both
    > > the 'older' NT domain, and the newer 'AD' whatever).
    > >
    > > I've scoured newsgroups and the MS web site without any luck whatsoever.
    > > Any feedback would be greatly appreciated.
    > >
    >
    >
    >
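
    The following script is an added example, not something posted in this thread by /.dz or Steve. It puts the points of the exchange into a form you can run on the server: it tallies 538/540 Security-log events per account and logon type so the anonymous logoffs can be compared with known-user sessions, reports the three settings Steve names (RestrictAnonymous, the Computer Browser service, NetBIOS over TCP/IP), runs the null-session test the way cmd.exe expects it, and can apply the RestrictAnonymous = 2 setting from KB 246261. It assumes Windows PowerShell 5.1 run as an administrator on the file server; the event text parser is written for the Windows 2000/XP/2003 layout of events 538 and 540 (Vista and later use 4624/4634 with a different message layout, which it does not handle), and the sample messages at the bottom are constructed, not real log data.

```powershell
# Added example, not code from the original thread. Assumes Windows PowerShell
# 5.1 run as an administrator. Event IDs 538 (logoff) and 540 (network logon)
# are the Windows 2000/XP/2003 IDs discussed above; their message text carries
# "User Name:", "Domain:", "Logon ID:" and "Logon Type:" fields, which is what
# the parser below expects. Vista and later use 4624/4634 and are not handled.

# Tally sessions per (event, account, logon type) from event message text.
function Get-LogonEventTally {
    param(
        [Parameter(Mandatory)][int[]]$EventIds,    # 538 or 540 for each message
        [Parameter(Mandatory)][string[]]$Messages  # the matching Message text
    )
    $rows = for ($i = 0; $i -lt $Messages.Count; $i++) {
        $m = $Messages[$i]
        # Lazy matches because both "ANONYMOUS LOGON" and "NT AUTHORITY" contain spaces.
        $user   = [regex]::Match($m, 'User Name:\s+(.+?)\s+Domain:').Groups[1].Value
        $domain = [regex]::Match($m, 'Domain:\s+(.+?)\s+Logon ID:').Groups[1].Value
        $type   = [regex]::Match($m, 'Logon Type:\s+(\d+)').Groups[1].Value
        [pscustomobject]@{
            EventId   = $EventIds[$i]
            Account   = "$domain\$user"
            LogonType = [int]$type
        }
    }
    $rows | Group-Object EventId, Account, LogonType |
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Session'; e = { $_.Name } }
}

# Same tally over the live Security log (most recent $Newest entries).
function Get-LiveLogonEventTally {
    param([int]$Newest = 5000)
    $events = Get-EventLog -LogName Security -Newest $Newest |
        Where-Object { $_.EventID -in 538, 540 }
    if (-not $events) { return }
    Get-LogonEventTally -EventIds $events.EventID -Messages $events.Message
}

# Report the settings Steve names. RestrictAnonymous meanings are the
# Windows 2000 ones from KB 246261 (0 = none, 1 = no SAM enumeration,
# 2 = no access without explicit anonymous permissions). XP/2003 and later
# split this into RestrictAnonymous, RestrictAnonymousSAM and
# EveryoneIncludesAnonymous, so value 2 is a Windows 2000 setting.
function Get-AnonymousAccessPosture {
    $lsa     = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $browser = Get-Service -Name Browser -ErrorAction SilentlyContinue
    # TcpipNetbiosOptions: 0 = setting from DHCP, 1 = enabled, 2 = disabled
    $netbt = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object { "$($_.Description): $($_.TcpipNetbiosOptions)" }
    [pscustomobject]@{
        RestrictAnonymous    = $lsa.RestrictAnonymous
        RestrictAnonymousSAM = $lsa.RestrictAnonymousSAM
        ComputerBrowser      = if ($browser) { "$($browser.Status)/$($browser.StartType)" } else { 'not installed' }
        NetBiosOverTcpip     = $netbt -join '; '
    }
}

# The null-session test from the post, as cmd.exe expects it:
#   net use \\server\ipc$ "" /user:""
# (empty password, empty user). Exit code 0 means IPC$ accepted an anonymous
# connection; a logon-failure error means it did not.
function Test-NullSession {
    param([Parameter(Mandatory)][string]$ComputerName)
    $null = cmd.exe /c "net use \\$ComputerName\ipc$ """" /user:"""" 2>&1"
    $accepted = ($LASTEXITCODE -eq 0)
    if ($accepted) { $null = cmd.exe /c "net use \\$ComputerName\ipc$ /delete 2>&1" }
    return $accepted
}

# Apply the "no access without explicit anonymous permissions" option.
# Read KB 246261 first: value 2 can break browsing, trust enumeration and
# down-level clients, so try it on one server before rolling it out.
function Set-RestrictAnonymous {
    param([ValidateSet(0, 1, 2)][int]$Value = 2)
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name RestrictAnonymous -Value $Value -Type DWord
}

# Constructed sample messages in the Windows 2000 538/540 layout (not real log
# data): one known-user logon/logoff pair and two anonymous logoffs.
$sample = @(
    @{ Id = 540; Msg = "Successful Network Logon:`n`tUser Name:`tjdoe`n`tDomain:`t`tCORP`n`tLogon ID:`t(0x0,0x3A1B2)`n`tLogon Type:`t3" },
    @{ Id = 538; Msg = "User Logoff:`n`tUser Name:`tjdoe`n`tDomain:`t`tCORP`n`tLogon ID:`t(0x0,0x3A1B2)`n`tLogon Type:`t3" },
    @{ Id = 538; Msg = "User Logoff:`n`tUser Name:`tANONYMOUS LOGON`n`tDomain:`t`tNT AUTHORITY`n`tLogon ID:`t(0x0,0x3A1C0)`n`tLogon Type:`t3" },
    @{ Id = 538; Msg = "User Logoff:`n`tUser Name:`tANONYMOUS LOGON`n`tDomain:`t`tNT AUTHORITY`n`tLogon ID:`t(0x0,0x3A1D4)`n`tLogon Type:`t3" }
)
Get-LogonEventTally -EventIds $sample.Id -Messages $sample.Msg | Format-Table -AutoSize
Get-AnonymousAccessPosture | Format-List
```

    Run `Get-LiveLogonEventTally` to see the real ratio of `NT AUTHORITY\ANONYMOUS LOGON` logoffs to known-user sessions on the server, and `Test-NullSession -ComputerName <server>` from a workstation to repeat the check from the post; the quoting in `Test-NullSession` is the part that is easy to get wrong by hand, and a 529 logged under your own user name means the anonymous credentials were not what the server received. `Set-RestrictAnonymous` changes the live registry value, so read the consequences in KB 246261 before calling it.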

